Summary. 2025 was the toughest year the French health sector has ever faced in terms of cyberattacks. A leading independent-sector medical software vendor paralysed for days, several teaching hospitals hit, millions of records leaked. This article draws the technical and organisational lessons — without finger-pointing.
The 2025 context
Since 2020, the health sector has been the number-one target of cybercriminal groups. The reason is simple: medical data resells for up to 20 times more than banking data on black markets, because it enables targeted fraud (fake health invoices, medical identity theft, extortion).
In 2025, France was particularly exposed: architecture still largely centralised, many software vendors with uneven security practices, under-funded hospital IT departments, and an attack surface widening as digitisation progresses (Ségur, Mon Espace Santé).
A textbook case: the centralised medical software
November 2025. A major player in French independent-sector medical software — used by more than 20,000 practitioners — suffered a ransomware-type cyberattack. Consequence: several days without access for practices, patient records unreachable, electronic care forms impossible to transmit.
This case became emblematic for two reasons:
- Centralised architecture — all records of the 20,000+ doctors relied on the same cloud infrastructure. A single point of failure for an entire segment of the French healthcare system.
- No degraded mode — without cloud access, the doctor could not consult any patient file, even for urgent cases. No local encrypted cache, no local copy.
The hospitals and teaching hospitals hit
Several French hospital facilities were hit in 2025: some saw their emergency care systems degraded for weeks. Patient transfers to other facilities, postponed scheduled operations, medical record leaks on the dark web.
ANSSI and the Ministry of Health stepped up support programmes (CaRE — Cybersecurity Acceleration and Resilience of Facilities), but the upgrade takes months, even years.
The 4 technical lessons
1. Centralised architecture is a systemic risk
When 20,000 doctors depend on a single infrastructure, a successful attack has a systemic impact that far exceeds the victim company. The alternatives: distributed architectures, edge computing, multi-site replication, and client-side resilience (local encrypted cache).
2. Client-side encryption protects against leaks
In a client-side end-to-end encrypted architecture (encryption performed on the client, with the key held by the user), a database leak yields unreadable blobs. The attackers who stole French hospital records in 2025 were able to resell them because they were readable. Had those records been encrypted this way, the leak would have been a commercial non-event.
3. Offline-first mode saves lives
When the cloud goes down and a doctor must see their patient, having a local encrypted copy of the record makes the difference between continuity of care and suspended consultations. Modern health applications, including MDMC, are built as offline-first PWAs with an automatically updated local encrypted cache.
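The unreadable blobs of lesson 2 and the local encrypted cache of lesson 3 rest on the same primitive, sketched here as an added example (not code from MDMC or from any vendor discussed in this article). It assumes Node.js's built-in crypto module, AES-256-GCM with an scrypt-derived key, and constructed sample data; the function names and record IDs are illustrative.

```javascript
const crypto = require('node:crypto');

// Derive a 256-bit key from a secret only the user holds; the salt travels with the blob.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Encrypt on the client. recordId is bound as associated data so a blob
// cannot be silently moved onto another patient's record.
function sealRecord(passphrase, recordId, record) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(recordId, 'utf8'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt on the client; returns null on a wrong key, wrong recordId or tampering.
function openRecord(passphrase, recordId, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 44) return null; // salt(16) + iv(12) + tag(16)
  const salt = raw.subarray(0, 16), iv = raw.subarray(16, 28), tag = raw.subarray(28, 44);
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
    d.setAAD(Buffer.from(recordId, 'utf8'));
    d.setAuthTag(tag);
    const pt = Buffer.concat([d.update(raw.subarray(44)), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (e) {
    return null; // authentication failed: never return partial plaintext
  }
}

// Constructed sample: the same blob goes to the vendor cloud and to the local cache.
const record = { patient: 'Jane Example', note: 'constructed sample note' };
const blob = sealRecord('user-held secret', 'rec-001', record);
const cloudDb = new Map([['rec-001', blob]]);    // what a database leak exposes
const localCache = new Map([['rec-001', blob]]); // what survives a cloud outage

// Degraded mode: read from the local cache with no server round trip.
function readOffline(passphrase, recordId) {
  const cached = localCache.get(recordId);
  return cached ? openRecord(passphrase, recordId, cached) : null;
}
```

In a browser PWA the same construction maps onto AES-GCM in the Web Crypto API (which offers PBKDF2 rather than scrypt for key derivation), with the blob kept in IndexedDB.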
4. Portability is a form of resilience
If you can't export your data, you're a prisoner of a vendor. If they are attacked, you are stuck with them. One-click FHIR R4 export, contractually guaranteed, is structural insurance.
The 3 organisational lessons
1. Sovereignty is not a nice-to-have
Platforms hosted with foreign providers (AWS, Azure) add legal risk (US Cloud Act) to cyber risk. Providers holding ANSSI's SecNumCloud qualification offer a dual guarantee: technical resilience + legal immunity.
2. Ethical drug databases matter
Prescription Assistance Software certified by the French Health Authority relies on various drug databases. Some (like Vidal) belong to international groups whose main business is pharmaceutical marketing studies. The non-commercial Thériaque and BCB databases are more ethical alternatives.
3. Post-incident transparency is a trust test
Players who communicate quickly and honestly about what happened and the measures taken retain their customers. Those who downplay or stay silent lose twice: once from the attack, a second time from the loss of trust.
What you can do as a patient
- Activate Mon Espace Santé — you'll at least have your record on the public-service side, independent of private vendors
- Export your data regularly — FHIR R4 format if possible, or at least key reports as PDF
- Ask your doctor where their software is hosted — you have the right to know, and a serious doctor will know how to answer
- Use a sovereign partner app — hosted in France, client-side end-to-end encrypted, portable
What you can do as a practitioner
- If you only use cloud software, consider a complementary tool with a local encrypted cache to keep consulting in degraded mode
- Check your vendor's HDS certification — it's a regulatory obligation
- Test your backups at least quarterly (untested backup = no backup)
- Take part in the ANSSI CaRE and ANS CERT Santé programmes — free and useful
Key takeaway
2025 accelerated awareness. Healthcare cybersecurity is not an IT department's technical topic — it is a matter of continuity of care, hence a public health issue. Sovereign, client-side end-to-end encrypted and offline-first architectures are no longer premium options. They are becoming the minimum foundation of a digital health worthy of the name.